Methods of operating a system for management of implantable medical devices (IMDs) using reconciliation operations and revocation data

ABSTRACT

In one embodiment, a method for operating a system for management of implantable medical devices (IMDs), comprises: conducting communications sessions with a plurality of clinician programmer devices, wherein some of the communication sessions occur while the plurality of clinician programmer devices are engaged in respective programming sessions with IMDs; conducting communications sessions with a plurality of patient controller devices, wherein the communication sessions with the patient controller devices include communication of data pertaining to offline programming of IMDs; reconciling programming session data received from the plurality of clinician programmer devices with programming session data received from patient controller devices to identify instances of unauthorized IMD programming; and distributing revocation data to patient controller devices to be downloaded to corresponding IMDs, wherein the revocation data identifies cryptographic keys that are no longer trusted.

Implantable medical devices have changed how medical care is provided topatients with a number of chronic illnesses and disorders. For example,implantable cardiac devices improve cardiac function in patients withheart disease by improving quality of life and reducing morality rates.Respective types of implantable neurostimulators provide a reduction inpain for chronic pain patients and reduce motor difficulties in patientswith Parkinson's disease and other movement disorders. A variety ofother medical devices are proposed and are in development to treat otherdisorders in a wide range of patients.

Many implantable medical devices and other personal medical devices areprogrammed by a physician or other clinician to optimize the therapyprovided by a respective device to an individual patient. For someimplantable device legacy designs, the programming occurs usinginductive wireless telemetry. An external coil is placed on a givenpatient's body to inductively couple to a coil in the device implantedwithin the patient's body. The program values or parameters arecommunicated over the telemetry connection. Since the inductive couplingrequires close immediate contact, there is a very small likelihood of athird party establishing a communication session with the patient'simplanted device without the patient's knowledge.

More recent implantable devices employ wireless telemetry over greaterdistances using radio frequency protocols. For example, selectedimplantable medical devices employ low energy BLUETOOTH® to communicateprogramming data between an external programmer device and a respectiveimplanted device, Certain mechanisms are implemented to provide a degreeof security for the communication of data between the external andimplanted devices.

Also, a number of device management, home care, or remote care networks(collectively referred to herein as device management system) have beendeveloped or proposed to allow remote access to physiological and otherdata stored by implanted devices of patients and possibly to reprogramoperations of the implanted devices of patients in certaincircumstances.

Although the adoption of longer range telemetry capabilities and remotecare networks provides a number of clinical benefits to patient care,there is some risk of malicious parties inappropriately accessingpatient data and/or effecting the medical therapy provided by implantedor other personal medical devices.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 depicts a system in which an implanted medical device isprogrammed according to some representative embodiments.

FIG. 2 depicts a system in which an implanted medical devicecommunicates with patient controller device which, in turn, communicateswith one or more remote device management servers.

FIG. 3A depicts an implantable or personal medical device according tosome embodiments.

FIG. 3B depicts a clinician programmer device according to someembodiments.

FIG. 4 depicts a programming work flow according to some embodimentswhere network connectivity is not available during an initialprogramming session.

FIG. 5 describes operations performed after a clinician has performednon-networked programming sessions according to some embodiments.

FIG. 6 depicts programming data analysis operations according to someembodiments to detect and remediate instances of unauthorizedprogramming.

FIG. 7 depicts programming data validation operations for offlineprogramming according to some embodiments.

FIG. 8 depicts a neurostimulation system adapted according toembodiments disclosed herein.

FIGS. 9A-9C depict portions of stimulation leads that may be used in theneurostirnulation system of FIG. 8.

FIG. 10 depicts a computer platform for management of medical devicesaccording to some embodiments.

FIG. 11 depicts medical devices managed by a medical device managementsystem according to some embodiments.

SUMMARY

In certain embodiments, an implantable medical device (IMD) is adaptedto conduct operations according to programming data defined by one ormore clinicians. The IMD verifies the validity of the programming datausing validation data before conducting device operations according tothe programming data. The IMD is adapted to communicate with one or morepatient controller devices and/or clinician programmer devices. Thepatient controller devices and/or clinician programmer devices may inturn communicate with a device management system. The programming datamay be signed by one or more keys to assist the verification operations.The validation data may be generated by a device management system. Thevalidation data may be generated by a clinician programmer.

In some embodiments, the IMD is selected from the list consisting of: aneurostimulation device, a cardiac rhythm management device, animplantable drug delivery pump, and an insulin dispensing device.

In some embodiments, a method of programming an implantable medicaldevice (IMD) to provide therapeutic operations for a patient, comprises:conducting a first communication session between the IMD with anexternal programming device when network connectivity for a remoteserver for medical device management is not available for the externalprogramming device; receiving programming data by the IMD from theexternal programming device to provide therapeutic operations accordingto at least one instance of settings data during the first communicationsession, wherein the at least one instance of settings data is validatedby a temporary key; conducting a second communication session betweenthe IMD with an external device when network connectivity to the remoteserver for medical device management is available for the externaldevice; receiving validation data for the at least one instance ofsettings data that is signed with a key corresponding to the IMD;processing the received validation data to verify the receivedvalidation data against a key of the IMD; and replacing validation datasigned using the temporary key with the received validation data. Themethod may also comprise conducting therapeutic operations according tothe at least one instance of settings data to provide a therapy to thepatient after determining that the at least one instance of settingsdata is verified.

In some embodiments, the temporary key corresponds to a clinician orclinician device. In some embodiments, the IMD stores a collection oftemporary keys and the IMD searches the collection for a matching keyfor validation data signed with a temporary key during verificationoperations. In some embodiments, the external device that has networkaccess is a patient controller device adapted to communicate with theIMD. In some embodiments, the external device that has network access isa clinician programmer device adapted to communicate with the IMD. Insome embodiments, the IMD causes a respective instance of settings datathat is validated by a temporary key to become invalid after a definedperiod of time passes without replacement by validation data signed witha key corresponding to the IMD. In some embodiments, the IMD reverts toone or more default therapeutic settings upon invalidation of therespective instance of settings data.

In some embodiments, a clinician programmer device for programming animplantable medical device (IMD) comprises: a processor for executinginstructions to control the clinician programmer device; wirelesscommunication circuitry for communicating with the IMD and forcommunicating with a remote server for medical device management; andmemory for storing data and executable instructions, wherein theexecutable comprises code for causing the processor to (1) provide oneor more user interface (UI) screens to interact with a clinician todefine therapeutic settings for the IMD, (2) validate the therapeuticsettings with the remote server when network connectivity is obtained byobtaining validation data from the remote server that is signed with akey corresponding to the IMD, (3) create validation data that is signedwith a temporary key when network connectivity to the remote server isnot available, and (4) communicate the therapeutic settings andvalidation data to the IMD to control therapeutic operations of the IMD.

In some embodiments, the executable instructions of the clinicianprogrammer device comprise code to cause the processor to (a) query theIMD to identify prior therapeutic settings with validation data signedwith a temporary key, (b) communicate with the remote server whennetwork connectivity is available to validate the prior therapeuticsettings by obtaining updated validation data signed with a keycorresponding to the IMD, and (c) communicate the updated validationdata to the IMD. The communication circuitry of the clinician programmerdevice may comprise a first and second set of communication circuity forproviding at least two different wireless communication protocols.

In some embodiments, an implantable medical device (IMD) comprises:therapeutic circuitry for controlling delivery of a medical therapy to apatient; a processor for controlling the IMD according to executablecode; wireless communication circuitry for conducting wirelesscommunications; and memory for storing data and executable code, whereinthe executable comprises code for causing the processor to (1)communicate with an external programming device to define therapeuticsettings for operation of the IMD, (2) perform validation operations onone or more instances of therapeutic settings by determining whether arespective instance of therapeutic settings is accompanied by validationdata signed with a key corresponding to the IMD or by a temporary key,and (3) replace instances of validation data signed with a temporary keyupon a subsequent communication session with an external device that hasnetwork access to a remote server for remote medical device managementoperations. In some embodiments, the memory of the IMD stores acollection of temporary keys and the processor searches the collectionfor a matching key for validation data signed with a temporary key.

In some embodiments, a method for operating a system for management ofimplantable medical devices (IMDs), comprises: conducting communicationsessions with a plurality of clinician programmer devices while theclinician programmer devices are engaged in respective programmingsessions with IMDs; signing first validation data for first programmingdata with keys corresponding to respective IMDs; communicating the firstsigned validation data to corresponding clinician programmers forcommunication to respective IMDs to cause the IMDs to conducttherapeutic operations according to programming data validated byrespective instances of validation data; receiving and storing secondprogramming data from a plurality of clinician programmer devices,wherein the second programming data was created during programmingsessions with IMDs without network connectivity to the system formanagement of IMDs; conducting communication sessions with patientcontroller devices for a plurality of IMDs that were programmed with thesecond programming data; reconciling programming of the plurality ofIMDs that were programmed with the second programming data with datastored by the system for management of IMDs; generating secondvalidation data for instances of the second programming data with keyscorresponding to respective IMDs; and communicating the second signedvalidation data to cause IMDs to conduct therapeutic operationsaccording to programming data validated by respective instances ofsecond validation data.

In some embodiments, an implantable medical device (IMD) comprises:therapeutic circuitry for controlling delivery of a medical therapy to apatient; a processor for controlling the IMD according to executablecode; wireless communication circuitry for conducting wirelesscommunications; and memory for storing data and executable code, whereinthe executable comprises code for causing the processor to (1)communicate with an external programming device to define therapeuticsettings for operation of the IMD, (2) perform validation operations onone or more instances of therapeutic settings by determining whether arespective instance of therapeutic settings is accompanied by permanentvalidation data or temporary validation data, wherein the validationoperations comprise analyzing temporary validation data against at leastone key of a plurality of cryptographic keys stored by the IMD, and (3)communicate with an external programming device or patient controllerdevice according to a revocation protocol for receipt of availablerevocation data from a remote device management system, wherein therevocation data identifies one or more cryptographical keys of theplurality of cryptographic keys that are no longer trusted.

In some embodiments, a method for operating a system for management ofimplantable medical devices (IMDs), comprises: conducting communicationssessions with a plurality of clinician programmer devices, wherein someof the communication sessions occur while the plurality of clinicianprogrammer devices are engaged in respective programming sessions withIMDs and wherein the communication sessions with the plurality ofclinician programmer devices include communication of data pertaining tooffline programming of IMDs; conducting communications sessions with aplurality of patient controller devices, wherein the communicationsessions with the patient controller devices include communication ofdata pertaining to offline programming of IMDs; reconciling programmingsession data received from the plurality of clinician programmer deviceswith programming session data received from patient controller devicesto identify instances of unauthorized IMD programming; and distributingrevocation data to patient controller devices to be downloaded tocorresponding IMDs, wherein the revocation data identifies cryptographickeys that are no longer trusted.

In some embodiments, the method further comprises: identifying alegitimate clinician programmer device that uses a cryptographic key tobe revoked; replacing the cryptographic key on the legitimate clinicianprogrammer device during a communication session with the respectiveclinician programmer device.

In some embodiments, a method of programming an implantable medicaldevice (IMD) to provide therapeutic operations for a patient, comprises:conducting a first communication session between the IMD with anexternal programming device; receiving first programming data by the IMDfrom the external programming device to provide therapeutic operationsaccording to at least one instance of settings data during the firstcommunication session; receiving second programming data by the IMD fromthe external programming device to define limitations of reprogrammingduring offline programming sessions; conducting a second communicationsession between the IMD with an external programming device when networkconnectivity with a remote server of a medical device management is notavailable for the external programming device; receiving thirdprogramming data by IMD from the external programming device to providetherapeutic operations according to at least one instance of settingsdata during the second communication session; determining whether thethird programming data is permitted according to limitations defined bythe second programming data; and conducting therapeutic operations bythe IMD according to the third programming data after determining thatthe third programming data is permitted.

In some embodiments, an implantable medical device (IMD) comprises:therapeutic circuitry for controlling delivery of a medical therapy to apatient; a processor for controlling the IMD according to executablecode; wireless communication circuitry for conducting wirelesscommunications; and memory for storing data and executable code, whereinthe executable comprises code for causing the processor to (1)communicate with a respective external programming device to definetherapeutic settings for operation of the device while the respectiveexternal programming device is in online or offline communication stateswith a device management system, (2) communicate with an externalprogramming device to define offline programming limitations, (3)perform validation operations on one or more instances of therapeuticsettings by determining whether a respective instance of therapeuticsettings is accompanied by validation data, and (4) determine whether arespective instance of therapeutic settings is consistent withpreviously communicated limitations for offline programming if therespective instance of therapeutic settings is not accompanied byvalidation data from the device management system.

DETAILED DESCRIPTION

FIG. 1 depicts a system in which an implanted medical device isprogrammed according to some representative embodiments. The implantedmedical device (not shown in FIG. 1) is implanted within patient 101.Examples of suitable implantable medical devices includeneurostimulators such as the Protege™, Prodigy™, Proclaim™, Infinity™pulse generators available from Abbott (Plano Tex.). Also, other exampleimplantable medical devices include cardiac rhythm management devicesand cardiac devices include Ellipse™ implantableCardioverter/Defibrillator (ICDs), Fortify Assura™ ICDs, Assurity MRI™pacemakers, and Endurity™ pacemakers available from Abbott (Sylmar,Calif.). Any suitable implantable medical device or personal medicaldevice may operate according to embodiments described herein.

At appropriate times, the implanted medical device of patient 101communicates with clinician programmer device 102 which is operated byone or more clinicians 105. The programming clinician 105 utilizes oneor more user interface screens of device 102 to define or control atherapy provided to patient 101 by the implanted medical device. Theclinician(s) may define or set one or more therapy parameters. Forexample, the clinician may define pulse amplitudes, pulse frequencies,pulse patterns, pacing delays, and/or a variety of other therapyparameters depending upon the implanted device and the intended therapyfor patient 101. Examples of programming parameters for neurostimulationdevices may be found in (1) Parameters of Spinal Cord Stimulation andTheft Role in Electrical Charge Delivery: A Review, Neuromodulation.2016 June; 19(4):373-84, Miller et al.; (2) Novel Spinal CordStimulation Parameters in Patients with Predominant Back Pain,Neuromodulation 2013; 16:370-375, Jeffrey Tiede et al.; (3) Are 10 kHzStimulation and Burst Stimulation Fundamentally the Same?Neuromodulation 2017; 20:650-653, Dirk De Ridder et al. An example ofprogramming methodology for cardiac rhythm management devices may befound in Insights From a Cardiac Resynchronization Optimization Clinicas Part of a Heart Failure Disease Management Program, Journal of theAmerican College of Cardiology, Volume 53, Issue 9, March 2009, WilfriedMullens et al.

During a programming session, programming data is communicated fromclinician programmer device 102 to one or more remote device managementservers 104 via network 103. The set of programming data is subjected toauthorization and validation processes to ensure that only programmingdata from authorized clinicians will accepted by the implanted medicaldevice of patient 101. Suitable security algorithms may be employed tovalidate and authorize communication between clinician programmer device102 and servers 104, such as communication of user/clinicianidentifiers, passwords, device identifiers, network identifiers,security/cryptographic keys, digital certificates, location data, and/orthe like. Also, this application discloses novel security algorithms forvalidation, authorization, and other security related operations forprogramming data for respective embodiments.

Conventional security algorithms may be applied to assist portions ofthe communication of pro ramming data and/or other patient dataaccording to some embodiments. Conventional information technologyproducts use “Identification” protocols to provide user identity (in theform of a user ID) to one or more relevant security systems. A givensecurity system will typically search through all the security objectsthat it manages to identify the specific identity corresponding to thedata supplied from a respective user.

The fact that the user claims to be represented by a specific identityobject (identified by its user ID) does not necessarily mean that thisis true. To ascertain that an actual user can be mapped to a specificabstract user object in the system, and therefore be granted user rightsand permissions specific to the abstract user object, the user mustprovide evidence to prove his identity to the system. Authentication isthe process of ascertaining claimed user identity by verifyinguser-provided evidence. A respective instance of evidence provided by auser in the process of user authentication is called a credential.Different systems may require different types of credentials toascertain user identity and may even require more than one credential.In computer systems, the credential very often takes the form of a userpassword, which is a secret known only to the individual and the system.Credentials may take other forms, however, including PIN numbers,certificates, tickets, etc.

Authorization is the process of determining whether an alreadyidentified and authenticated user is allowed to access informationresources in a specific way. Authorization is often the responsibilityof the service providing access to a resource. Access control lists arefrequently employed to manage authorization operations.

A discussion of conventional security protocols may be found in “Cloudcomputing security requirements: A systematic review,” 2012 SixthInternational Conference on Research Chailenges in Information Science(RCIS), Valencia, 2012, pp. 1-7. (doh 10.1109/RCIS.2012.6240421) whichis incorporated herein by reference. A further example of a known useridentification and authentication system for cloud applications isdescribed in U.S. Pat. No. 9,172,605 which is incorporated herein byreference.

Servers 104 may also assist in validation and creation of theprogramming data. For example, servers 104 may compare the programmingdata submitted by a clinician for review by one or more automatedvalidation processes created to optimize therapies based on previouslydetermined clinical data. If there is a discrepancy or a possibleimprovement, servers 104 may communicate suggested changes to theclinician(s) operating device 102. Also, servers 104 may offerapplication services to assist the programming process. For example,servers 104 may serve user interface screens using a suitable protocol(e.g., HTML) to device 102 to permit the clinician(s) to define thetherapy for patient 101.

When the given set of programming data is suitably defined, server(s)104 generate data to permit the programming data to control thetherapeutic operations of the implanted medical device of patient 101.Specifically, if server(s) 104 determine that clinician programmer 104is being operated by a properly identified clinician with properprogramming permissions, server(s) 104 may generateauthorization/validation data to accompany the programming data.Server(s) 104 communicate the authorization/validation data to clinicianprogramming device 102 via network 103. Clinician programming device 102communicates the programming data and the authorization/validation datato the implanted medical device of patient 101. The implanted medicaldevice of patient 101 analyzes the authorization/validation data. If theauthorization/validation data is determined by the implanted medicaldevice to be valid, the implanted medical device conducts therapyoperations (e.g., generating electrical pulses for application to tissueof the patient, delivery of pharmaceuticals, and/or the like) accordingto the programming data.

As used herein, validation data is data that provides information toascertain the integrity of the programming data and/or whether theprogramming data was generated by a properly authorized clinician orother user. Validation data may be generated by generating a value fromtherapeutic settings and/or programming metadata using a checksum,digest, or other suitable function. The function may include applicationof one or more cryptographic keys or the result of the function may bevaried by application of one or more cryptographic keys. The respectivekeys used for cryptographic processing may include keys selectedaccording to public-key cryptography or asymmetric cryptography (e.g.,RSA (Rivest-Shamir-Adleman) cryptography and Elliptic Curve Cryptography(ECC)). Additional details regarding generation of the validation datais discussed herein.

FIG. 2 depicts a system in which an implanted medical devicecommunicates with patient controller device 201 which, in turn,communicates with one or more remote device management servers 104.Patient 101 may utilize patient controller device 201 for one or more ofa variety of tasks. For example, patient 101 may interact with patientcontroller device 201 to check the status of the patient's implantedmedical device (battery level, current operating mode, etc.). Also, theimplanted medical device may monitor physiological signal or processesof the patient. Patient controller device 201 may communicate with theimplanted medical device to access stored physiological data. Thepatient controller device 201 may display a suitable indication of thepatient's condition (e.g., heart rate, glucose level, neurologicalactivity, etc.). The accessed physiological or other patient data may becommunicated to one or more servers 104. The physiological data may beanalyzed to monitor the patient's condition. For example, thephysiological data may be analyzed to identify if the patient isexperiencing undesired cardiac conditions such as episodes oftachycardia, arrhythmias, and other conditions. Automated processing mayoccur to identify relevant medical conditions. Alerts to the patient 101or to the patient's medical professions may be given by patientcontroller 201 and/or server(s) 104 if warranted by the physiologicaldata.

Also, depending upon the implanted medical device, patient 101 mayinteract with patient controller device 201 to control some aspects ofthe patient's therapy. For example, neurostimulation devices frequentlyinclude multiple stimulation programs. Depending upon the patient'sexperience of pain at any given time, the patient may switch betweenavailable programs to select the program that provides the most suitablepain relief. Also, patient controller device 201 may enable patient 101to control stimulation amplitude (for certain neurostimulation devices).Patient 101 may enter relevant information via one or more userinterface screens to control stimulation. For example, the implantedmedical device may employ different therapy settings when the patient isasleep or when the patient is active. The patient may provide suitableinput to switch between these therapy settings at times desired by thepatient. Alternatively, the implanted medical device may modifyoperations depending upon the intake or ingestion of pharmaceuticalagents by patient 101. The patient may enter relevant information viapatient controller device 201 to indicate such events. The controllerdevice 201 may communicate the information to the implanted medicaldevice which controls its operations according to the communicatedinformation.

As previously discussed, the implanted medical device may validatetherapy parameters downloaded to the device before conductingtherapeutic operations according to the values.

Although operating a device management system to provide validation datareduces the probability of a malicious third party from programmingimplantable medical devices (IMDs) without authorization, networkconnectivity is required to permit the communication with one or moreservers of the device management system. In certain environments oroccasions, network connectivity may not be possible for a clinician. Forexample, many health care facilities do not provide consistent networkaccess in all locations. If an implantable medical device managementsystem is implemented where immediate network connectivity is required,clinicians would have significant burdens to complete required medicalprotocols for medical device management operations.

Some embodiments provide a multi-stage programming methodology that doesnot require network connectivity for all operations of deviceprogramming. In some embodiments, IMDs and clinician programmers areadapted to permit device programming in an offline mode (i.e., withoutan available network connection to a server of a device managementsystem). Offline programming is followed up by subsequent connection tothe device management system by patient controller devices and/orclinician programmer devices. In subsequent communication sessions,validation data can be downloaded to IDs to manage the integrity andsecurity of programming data of the IMDs.

In some representative embodiments, patient IMDs and clinicianprogrammers include functionality to limit or reduce the probability ofa malicious individual from exploiting the offline programming toprovide unauthorized programming for patient IMDs. In certainembodiments, a clinician programmer will generate temporary validationdata that is signed with a cryptographic key assigned to the clinicianprogrammer and/or the clinician. A respective IMD will check thetemporary validation data against an internal store of cryptographicalkeys before conducting therapeutic operations according to theprogramming data. A malicious individual will need to duplicate thefunctionality of the clinician programmer and compromise a secret keybefore being able to exploit the offline programming mode.

Although the use of cryptographic keys decreases the probability of anindividual user from conducting unauthorized device programming,cryptographic keys can become compromised. For example, certaincryptographic key pairs have been shown to be computationally identifiedmuch more quickly and with fewer processing resources than theoreticallimits. In some embodiments, IMDs are adapted to communicate throughclinician programmer devices and/or patient controller devices with thedevice management system to obtain revocation data. The revocation datamay identify one or more cryptographic keys that are no longer trusted.Accordingly, if a malicious individual is detected using a compromisedkey, future programming sessions using the cryptographic key may beblocked.

In other embodiments, revocation data may revoke the validity ofspecific instances of programming data. For example, the devicemanagement system may be used to audit programming data and programmingmetadata to identify specific instances of unauthorized programming.Identified unauthorized programming data may be reversed in addition torevoking future use of the compromised cryptographic key(s).

FIG. 3A depicts implantable or personal medical device 301 according tosome embodiments. Medical device 301 includes wireless communicationcircuitry 322 to conduct communication sessions with clinicianprogrammer 351 (shown in FIG. 3B) after implantation. Wirelesscommunication circuitry 352 may support communications using one or morecommunication protocols including inductive communication protocolsand/or the lower energy BLUETOOTH® protocol as examples.

Clinician programmer 351 includes processor 302, memory 353, andwireless communication circuitry 352. Memory 353 stores relevant dataand software code 356 to control operations of programmer 351. Memory353 may store an identifier (e.g., a serial number) of programmer 351for use during programming sessions. Also, memory 353 may storeclinician key 355 for use during programming session as discussedherein. Wireless communication circuitry 352 may include complementarycircuitry to conduct communications according to the protocol(s)implemented by medical device 301. Wireless communication circuity 352may also include additional wireless communication capabilities such ascircuitry for 802.11 protocols (“Wi-Fi”) for network communication withone or more servers of a device management system. Wirelesscommunication circuitry 352 may also include wireless telephony networkcommunication capabilities.

Medical device 301 includes one or more processors or controllers 302 tocontrol device operations. Medical device 301 includes medical ortherapy components 303 to provide the therapy to the patient and/or tomonitor or measure one or more physiological conditions of the patient.Medical device 301 includes memory 304 to store executable instructionsand data. The data may include a device identifier 305 and one or moredevice keys 306. For example, device key 306 may store one of a pair ofasymmetric encryption keys with the other key stored by server 104. Thepair of keys for a given device 301 may be used to securely create andemploy validation data according to some embodiments. Although thepresent disclosure refers to device key 306, the specific key selectedfor a given device need not necessarily be unique. The same key may beassigned to one or more devices (whether implantable medical devices,clinician programmers, and/or patient controller devices). Althoughdevice identifier 305 is shown as stored in memory 304, deviceidentifier 305 may be retained elsewhere in device 301. For example,many device components (e.g., processors, integrated circuits, wirelesscommunication circuitry, etc.) include identifiers that are hard-encodedin the components and are readily retrievable. The identifiers of thesubcomponents may be used as the medical device identifier in lieu of avalue stored in conventional memory of device 301 according to someembodiments. Memory 304 further stores software code 321 to controloperations of device 301. Software code 321 includes code to implementoperations discussed herein.

Device 301 includes one or more instances of programming data 308 inmemory 304 that defines how device 301 conducts therapeutic or medicaloperations according to some embodiments. In some embodiments, eachinstance of programming data 308 includes a program identifier. Also,each instance of programming data 308 includes a field for deviceidentifier data. The device identifier data in programming data 308 iscompared against the device identifier 305 to ensure that theprogramming data 308 is intended for use by the specific device 301.

Each instance of programming data 308 may include settings data (thevarious device parameters) that define the therapeutic or medicaloperations to be provided by device 301. For example, for aneurostimulation device for chronic pain, the settings data may includean electrode configuration for delivery of electrical pulses, astimulation pattern identifier (tonic stimulation, burst stimulation,noise stimulation, and/or the like), pulse parameters, one or morefrequency parameters, cycling parameters, timing parameters, and/or thelike.

Each instance of programming data 308 is accompanied with its respectivemetadata. The metadata may include relevant data that is not directlyused by device 301 to control specific device operations. For example,the metadata may include data that identifies the physician or clinicianthat created or programmed the settings data. The metadata may includean identifier of the clinician programmer device that was used to createthe settings data, the date of creation, the data of last modification,the physical location where programming occurred, and/or any otherrelevant data.

Each instance of programming data 308 includes validation data. Thevalidation data is used by device 301 to ensure that the settings datais intended for device 301 and is properly authorized to controloperations of device 301. In some embodiments, validation data iscreated using a checksum algorithm, a cryptographic hash function,and/or similar suitable processing. For example, the other data inprogramming data 308 may be represented by characters in respectivestrings. Each character in sequence is applied to the applicable hashfunction or suitable function to generate an output hash value orsimilar value. Known checksum functions apply exclusive-OR (XOR) and/ormodular sum operations in succession to each character or value in asequence of characters or values. The UNIX command “cksum” provides awell-known implementation of checksum operations as one example.

The checksum value or other relevant data may be encrypted with asuitable cryptographical key (e.g., the corresponding key of the keypair used for device 301). The encrypted data is then stored in device301 as the validation data in some embodiments.

When device 301 attempts to verify the validity of an instance ofprogramming data 308, device 301 recalculates the checksum value orrelevant data using the same methodology used to create the originalvalidation data in the instance of programming data 308 and generateslocal comparison data. Device 301 then decrypts the encrypted data ofthe validation data using its device key 306. Device 301 compares thedecrypted data against the local comparison data. If the two sets ofdata match, the settings data is valid and device 301 continues with itsoperations according to the settings data (assuming that there is noapplicable data in revocation data 307 to indicate otherwise asdiscussed herein for some embodiments).

As previously discussed, a cryptographic hash algorithm may be employedfor validation data operations according to some embodiments such as theSHA-1 (Secure Hash Algorithm 1) and SHA-2 (Secure Hash Algorithm 2) asexamples.

Under ordinary circumstances, device 301 is programmed by one or moreclinicians and the programming data is signed using a private encryptionkey of device 301 by server 104. Since server 104 is remote from theclinician(s) and device 301, a network connection is necessary tofacilitate the programming workflow. However, network connectivity isnot always available at the time of programming. In many institutionalfacilities, network connectivity in an operating room or other clinicalsetting can be intermittent or non-existent. A programming methodologythat requires network connectivity as a condition to create or testtherapeutic operations can be quite problematic for clinicians andpatients.

In some embodiments, an implantable medical device or personal medicaldevice is adapted to conduct programming operations with and withoutnetwork connectivity white maintaining flexibility to provideauthorization and validation operations to programming data.

FIG. 4 depicts a programming work flow according to some embodimentswhere network connectivity is not available during an initialprogramming session.

In 401, a clinician uses a clinician programmer device to establish acommunication connection between the clinician programmer and animplantable or personal medical device of the patient. The communicationconnection may be established using suitable communication methods suchas inductive wireless communication, low energy BLUETOOTH®communication, and medical band wireless communication as examples. Anexample of BLUETOOTH® communication between an implantable medicaldevice and a programmer device is found in U.S. Pat. No. 9,894,691,which is incorporated herein by reference.

In 402, the clinician uses the clinician programmer device to determinesuitable device and/or therapy parameters for the patient. For example,the clinician may employ a neurostimulation programming methodology toidentify suitable stimulation parameters to address chronic pain of thepatient using the St. Jude Medical™ Clinician Programmer App withBurstDR™ Stimulation executing on an iOS™ iPhone or iPad device (AppleCorp.). Any suitable medical device programming may occur includingprogramming of cardiac rhythm management therapies, deep brainstimulation therapies, cortical stimulation therapies, dorsal rootganglion stimulation therapies, and insulin, drug, pharmaceutical, orbiologic delivery therapies, as examples.

In 403, the clinician programmer device attempts to establish a networkconnection with one or more server(s) 104. For this workflow, it isassumed that the network connection is not available. For example, theclinician location may interfere with or block network connectivity.After the network connection fails, the clinician programmer signs thevalidation data with its local key (404). In some embodiments, theclinician programmer calculates the checksum data and encrypts the datawith its local key. Any suitable key signing operations may be applied.In 405, the clinician programmer device communicates programming dataand validation data to the patient device. The patient device may thenprovide operations according to the programming data after completingthe processing the programming data and validation data as discussedherein.

At a later time, the user/patient establishes a connection between apatient external device and the patient (implantable) medical device(406). In 407, the patient external device receives programming datafrom patient medical device that is only signed with a clinician key. In408, the patient external device establishes a network connection andcommunicates with remote server(s) 104. In 409, the remote server 104validates programming data. In 410, upon proper validation, the remoteserver 104 generates validation data signed with private keycorresponding to patient device 301. When the validation processdetermines that the programming data is improper, further operations arediscussed below. In 411, upon successful validation, the validation datais communicated from the server 104 to external device and then topatient device. In 412, the implantable or personal medical devicereplaces the old validation data (signed with the clinician key) withthe new validation data (signed with the private key corresponding tothe medical device 301).

FIG. 5 depicts programming data validation operations according to someembodiments. As previously discussed, certain programming operations mayoccur between a clinician programmer device and patient medical deviceswithout using network connectivity between the clinician programmer andone or more remote servers. FIG. 5 describes operations performed aftera clinician has performed such non-networked programming sessions.

In 501, the clinician establishes a connection between clinicianprogrammer device and remote server. The establishment of thecommunication connection may involve one or more known network securityprocesses including the use of user identifiers, passwords, keyexchanges, network location analysis, and/or the like to validate theidentity of the clinician and/or the clinician device.

In 502, the clinician programmer device uploads programming data signedwith clinician key with relevant metadata for the non-networkedprogramming sessions. The metadata may include relevant data such aspatient identifier(s), patient device identifier(s), programming sessiontime and date, the physical location of a programming session, and/orthe like. In 503, the remote server stores uploaded programming data andmetadata. In 504, the remote server conducts validation operations onuploaded data. In 505, the remote server generates new validation signedwith patient device keys pending communication sessions with devices.The new validation may be communicated to patient devices uponsubsequent connections with the patient devices to the one or moreremote servers (see 406-412 in FIG. 4). The patient controller devicesthen, in turn, communicate the new (permanent) validation data to therespective IMDs of the patients.

In describing some embodiments herein, it has been assumed that theprogramming of IMDs in an offline mode has occurred in an authorizedmanner. Although the management of cryptographic keys and use of thekeys for validation operations increases the security of the programmingprocess, it is possible that one or more cryptographic keys may becompromised for unauthorized use. FIG. 6 depicts programming dataanalysis operations according to some embodiments to detect andremediate instances of unauthorized programming.

In 601, offline programming data is received from patient controllerdevices. For example, a given patient may return home after thepatient's IMD was programmed in an offline manner at a doctor's officeat a health care facility. The patient may check the status of thepatient's implant and retrieve physiological data for display on thepatient's patient controller device. When performing these operations,the patient controller may employ a network connection at the patient'sresidence to connect to a remote care/device management system. Thepatient controller device then automatically uploads the programmingdata (therapeutic settings and/or programming metadata) to the devicemanagement system.

In 602, offline programming data is received from clinician programmerdevices. After online programming sessions occur, the respectiveclinicians may return theft devices to a suitable (e.g., centralized)location for their offices. The clinician programmers may be connectedto a wired network (e.g., an office ethernet local area network) orother network. When connected, the clinician programmers thenautomatically upload the programming data (therapeutic settings and/orprogramming metadata) to the device management system.

In 603, the device management system identifies offline programming datafrom patient controller devices that does not correspond to offlineprogramming data received from authorized clinician programmer devices.Reconciliation between the programming data received from patientcontroller devices and clinician programmer devices occur. When a givenclinician programmer device connects with the device management system,the clinician programmer device is authenticated using transmission ofclinician identifiers and credentials and other appropriate securityoperations. The authenticated clinician programmer may provide a list ofall programming sessions performed since the last time that theclinician programmer connected with the device management system. Thedevice management system will then possess a record of valid offlineprogramming sessions. If the device management system has a record of anoffline programming session with programming data identifying therespective clinician programmer as received from a patient controllerdevice but the properly authenticated clinician programmer does notreport the programming session, it is likely that unauthorizedprogramming has occurred.

Other reconciliations operations may be applied. For example, analysisof programming data may reveal that two clinician programming devicesconducted programming sessions in disparate geographical locations in asimilar time frame. Identification of such programming sessions mayindicate that a clinician programming device has been cloned.

In 604, one or more compromised cryptographic keys are identified. Thecryptographic key for a given clinician and/or clinician device that wasused in an authorized programming session is identified using theprogramming session metadata. In 605, revocation data for compromisedkeys and/or unauthorized offline programming is distributed. Therevocation data may cause IMDs to automatically delete or otherwiserender invalid any programming data identified to be unauthorized. Also,the revocation of now entrusted cryptographic keys will prevent futureunauthorized offline programming sessions for IMDs associated withpatient devices connecting to the device management system and receivingthe download of revocation data.

FIG. 7 depicts programming data validation operations for offlineprogramming according to some embodiments.

In 701, a communication session is established with an IMD by aclinician programming device. In 702, the clinician programming deviceprovides offline programming limits to IMD. The offline programminglimitations control the changes to therapeutic settings that may beapplied in an offline mode. For example, the clinician may determinethat certain electrodes of a deep brain stimulation system causeundesired side effects on the patient due to their location proximate torelevant neural tissue. The clinician may provide limitations thatprevent therapeutic settings from using such electrodes when programmedin an offline mode. Similarly, the clinician may identify certaincardiac rhythm therapies or cardiac therapy settings that are possiblyunsuitable for a given patient. The clinician may prevent use of suchtherapies or settings by defining suitable limitations.

In 703, a clinician programmer establishes an offline programmingsession with IMD at a later time. In 704, the clinician programmerprovides new or modified therapeutic settings to the IMD. In 705, theIMD compares the new or modified therapeutic settings against thepreviously defined offline programming limitations. In 706, the IMDaccepts the new or modified therapeutic settings when permitted byoffline programming limitations. If the changes are not permitted, theIMD may signal to the clinician programmer that the changes are notaccepted (not shown) and a network connection to the device managementsystem is necessary to program beyond the defined limitations.

As discussed herein, some embodiments may be employed for operationsrelated to programming implantable medical devices such asneurostimulation devices, cardiac rhythm management devices, glucosemonitoring devices, and medical agent infusion devices as examples.

FIG. 8 depicts a neurostimulation system that may be employed accordingto some embodiments. Neurostimulation systems are devices that generateelectrical pulses and deliver the pulses to nerve tissue of a patient totreat a variety of disorders. Spinal cord stimulation (SCS) is the mostcommon type of neurostimulation within the broader field ofneuromodulation. In SCS, electrical pulses are delivered to nerve tissueof the spinal cord for the purpose of chronic pain control. While aprecise understanding of the interaction between the applied electricalenergy and the nervous tissue is not fully appreciated, it is known thatapplication of an electrical field to spinal nervous tissue caneffectively inhibit certain types of pain transmitted from regions ofthe body associated with the stimulated nerve tissue to the brain. Undercertain stimulation conditions, applying electrical energy to the spinalcord associated with regions of the body afflicted with chronic pain caninduce “paresthesia” (a subjective sensation of numbness or tingling) inthe afflicted bodily regions. Certain stimulation patterns (such asBurstDR™ stimulation provided by pulse generators of Abbott) modulateneural activity to reduce chronic pain without inducing paresthesia.

SCS systems generally include a pulse generator and one or more leads. Astimulation lead includes a lead body of insulative material thatencloses wire conductors. The distal end of the stimulation leadincludes multiple electrodes that are electrically coupled to the wireconductors. The proximal end of the lead body includes multipleterminals (also electrically coupled to the wire conductors) that areadapted to receive electrical pulses. The distal end of a respectivestimulation lead is implanted within the epidural space to deliver theelectrical pulses to the appropriate nerve tissue within the spinalcord. The stimulation leads are then tunneled to another location withinthe patient's body to be electrically connected with a pulse generatoror, alternatively, to an “extension.”

The pulse generator is typically implanted within a subcutaneous pocketcreated during the implantation procedure. In SCS, the subcutaneouspocket is typically disposed in a lower back region, althoughsubclavicular implantations and lower abdominal implantations arecommonly employed for other types of neuromodulation therapies.

Stimulation system 800 generates electrical pulses for application totissue of a patient, or subject, according to one embodiment.Stimulation system 800 includes an implantable pulse generator (IPG) 850that is adapted to generate electrical pulses for application to tissueof a patient. Implantable pulse generator 850 typically includes ametallic housing that encloses a controller 851, pulse generatingcircuitry 852, a battery 853, far-field and/or near field communicationcircuitry 854, and other appropriate circuitry and components of thedevice. Controller 851 typically includes a microcontroller or othersuitable processor for controlling the various other components of thedevice. Software code is typically stored in memory of implantable pulsegenerator 850 for execution by the microcontroller or processor tocontrol the various components of the device. The software code storedin memory of pulse generator 850 may support operations of embodimentsdisclosed herein.

Implantable pulse generator 850 may comprise one or more attachedextension components 870 or be connected to one or more separateextension components 870. Alternatively, one or more stimulation leads810 may be connected directly to implantable pulse generator 850. Withinimplantable pulse generator 850, electrical pulses are generated bypulse generating circuitry 852 and are provided to switching circuitry.The switching circuit connects to output wires, traces, lines, or thelike (not shown) which are, in turn, electrically coupled to internalconductive wires (not shown) of a lead body 872 of extension component870. The conductive wires, in turn, are electrically coupled toelectrical connectors (e.g., “Bal-Seal” connectors) within connectorportion 871 of extension component 870. The terminals of one or morestimulation leads 810 are inserted within connector portion 871 forelectrical connection with respective connectors. Thereby, the pulsesoriginating from implantable pulse generator 850 and conducted throughthe conductors of lead body 872 are provided to stimulation lead 810.The pulses are then conducted through the conductors of stimulation lead810 and applied to tissue of a patient via electrodes 811. Any suitableknown or later developed design may be employed for connector portion871.

For implementation of the components within implantable pulse generator850, a processor and associated charge control circuitry for animplantable pulse generator is described in U.S. Pat. No. 7,571,007,entitled “SYSTEMS AND METHODS FOR USE IN PULSE GENERATION,” which isincorporated herein by reference. Circuitry for recharging arechargeable battery of an implantable pulse generator using inductivecoupling and external charging circuits are described in U.S. Pat. No.7,212,110, entitled “IMPLANTABLE DEVICE AND SYSTEM FOR WIRELESSCOMMUNICATION,” which is incorporated herein by reference.

An example and discussion of “constant current” pulse generatingcircuitry is provided in U.S. Patent Publication No. 2006/0170486entitled “PULSE GENERATOR HAVING AN EFFICIENT FRACTIONAL VOLTAGECONVERTER AND METHOD OF USE,” which is incorporated herein by reference.One or multiple sets of such circuitry may be provided withinimplantable pulse generator 850. Different pulses on differentelectrodes may be generated using a single set of pulse generatingcircuitry using consecutively generated pulses according to a“multi-stimset program” as is known in the art. Alternatively, multiplesets of such circuitry may be employed to provide pulse patterns thatinclude simultaneously generated and delivered stimulation pulsesthrough various electrodes of one or more stimulation leads as is alsoknown in the art. Various sets of parameters may define the pulsecharacteristics and pulse timing for the pulses applied to variouselectrodes as is known in the art. Although constant current pulsegenerating circuitry is contemplated for some embodiments, any othersuitable type of pulse generating circuitry may be employed such asconstant voltage pulse generating circuitry.

Stimulation lead(s) 810 may include a lead body of insulative materialabout a plurality of conductors within the material that extend from aproximal end of stimulation lead 810 to its distal end. The conductorselectrically couple a plurality of electrodes 811 to a plurality ofterminals (not shown) of stimulation lead 810. The terminals are adaptedto receive electrical pulses and the electrodes 811 are adapted to applystimulation pulses to tissue of the patient. Also, sensing ofphysiological signals may occur through electrodes 811, the conductors,and the terminals. Additionally or alternatively, various sensors (notshown) may be located near the distal end of stimulation lead 810 andelectrically coupled to terminals through conductors within the leadbody 872. Stimulation lead 810 may include any suitable number ofelectrodes 811, terminals, and internal conductors.

FIGS. 9A-9C respectively depict stimulation portions 900, 925, and 950for inclusion at the distal end of stimulation lead 110. Stimulationportions 900, 925, and 950 each include one or more electrodes 821.Stimulation portion 900 depicts a conventional stimulation portion of a“percutaneous” lead with multiple ring electrodes. Stimulation portion925 depicts a stimulation portion including several “segmentedelectrodes.” The term “segmented electrode” is distinguishable from theterm “ring electrode.” As used herein, the term “segmented electrode”refers to an electrode of a group of electrodes that are positioned atthe same longitudinal location along the longitudinal axis of a lead andthat are angularly positioned about the longitudinal axis so they do notoverlap and are electrically isolated from one another. Examplefabrication processes are disclosed in U.S. Patent Publication No.2011/0072657, entitled, “METHOD OF FABRICATING STIMULATION LEAD FORAPPLYING ELECTRICAL STIMULATION TO TISSUE OF A PATIENT,” which isincorporated herein by reference. Stimulation portion 950 includesmultiple planar electrodes on a paddle structure.

Controller device 860 (shown in FIG. 8) may be implemented to rechargebattery 853 of implantable pulse generator 850 (although a separaterecharging device could alternatively be employed), A “wand” 865 may beelectrically connected to controller device 860 through suitableelectrical connectors (not shown). The electrical connectors areelectrically connected to a “primary” coil 866 at the distal end of wand865 through respective wires (not shown). Typically, primary coil 866 isconnected to the wires through capacitors (not shown). Also, in someembodiments, wand 865 may comprise one or more temperature sensors foruse during charging operations.

The patient then places the primary coil 866 against the patient's bodyimmediately above the secondary coil (not shown), i.e., the coil of theimplantable medical device. Preferably, the primary coil 866 and thesecondary coil are aligned in a coaxial manner by the patient forefficiency of the coupling between the primary and secondary coils.Controller device 860 generates an AC-signal to drive current throughprimary coil 866 of wand 865. Assuming that primary coil 866 andsecondary coil are suitably positioned relative to each other, thesecondary coil is disposed within the field generated by the currentdriven through primary coil 866. Current is then induced in secondarycoil. The current induced in the coil of the implantable pulse generatoris rectified and regulated to recharge battery of implantable pulsegenerator 650. The charging circuitry may also communicate statusmessages to controller device 868 during charging operations usingpulse-loading or any other suitable technique. For example, controllerdevice 860 may communicate the coupling status, charging status, chargecompletion status, etc.

External controller device 860 is also a device that permits theoperations of implantable pulse generator 850 to be controlled by userafter implantable pulse generator 850 is implanted within a patient,although in alternative embodiments separate devices are employed forcharging and programming. Also, multiple controller devices may beprovided for different types of users (e.g., the patient or aclinician). Controller device 860 can be implemented by utilizing asuitable handheld processor-based system that possesses wirelesscommunication capabilities. Software is typically stored in memory ofcontroller device 860 to control the various operations of controllerdevice 860. The software code stored in memory of device 860 may supportthe operations according to embodiments disclosed herein. Also, thewireless communication functionality of controller device 860 can beintegrated within the handheld device package or provided as a separateattachable device. The user interface functionality of controller device860 is implemented using suitable software code for interacting with theuser and using the wireless communication capabilities to conductcommunications with implantable pulse generator 850.

Controller device 860 preferably provides one or more user interfaces toavow the user to operate implantable pulse generator 850 according toone or more stimulation programs to treat the patient's disorder(s).Each stimulation program may include one or more sets of stimulationparameters including pulse amplitude, pulse width, pulse frequency orinter-pulse period, pulse repetition parameter (e.g., number of timesfor a given pulse to be repeated for respective stimset during executionof program), etc. Implantable pulse generator 850 modifies its internalparameters in response to the control signals from controller device 860to vary the stimulation characteristics of stimulation pulsestransmitted through stimulation lead 810 to the tissue of the patient.Neurostimulation systems, stimsets, and multi-stimset programs arediscussed in PCT Publication No. WO 2001/93953, entitled“NEUROMODULATION THERAPY SYSTEM,” and U.S. Pat. No. 7,228,179, entitled“METHOD AND APPARATUS FOR PROVIDING COMPLEX TISSUE STIMULATIONPATTERNS,” which are incorporated herein by reference.

Pulse generator device 850 and controller device 860 may be adapted toapply different types of neurostimulation. One or more stimulation setsor programs may be defined with tonic stimulation. Also, these devicesmay support burst stimulation as disclosed in U.S. Pat. No. 8,934,981which is incorporated herein by reference. In burst stimulation, groupsof pulses are provided at a relatively high frequency (greater than 250Hz) with adjacent groups of pulses separated by a quiet period. Thegroups are repeated at a relatively lower frequency (e.g., 40 Hz orother physiologically relevant frequencies). These devices may support“noise” stimulation such as described in U.S. Pat. No. 9,498,634, whichis incorporated herein by references. These devices may also supporthigh frequency stimulation (e.g., 1500 Hz-20.000 Hz).

Example commercially available neurostimulation systems include thePROTEGE™, PRODIGY™, PROCLAIM™, INFINITY™ pulse generators and CLINICIANPROGRAMMER APP from Abbott Laboratories. Example commercially availablestimulation leads include the QUATTRODE™, OCTRODE™, AXXESS™, LAMITRODE™,TRIPOLE™, EXCLAIM™, PENTA™, and INFINITY™ stimulation leads from AbbottLaboratories.

FIG. 10 illustrates one embodiment of a computer system (e.g., a networkserver platform) 1002 that facilitates medical device management inaccordance with some embodiments. Computer system 1002 includesprocessor 1004, memory 1006, storage device 1008, display 1010,interface components 1012, keyboard 1014. Computer system 1002 includesnetwork interface 1018 for conducting network communications.

Memory 1006 can include a volatile and non-volatile memory. Storagedevice 1008 can store operating system 1020, device managementapplications 1022 for management of implantable devices and provision ofremote medical care, and data 1024. Device management applications 1022may include applications with software code to perform operationsdiscussed herein including communication with patient controllerdevices, communication with clinician programmer devices validation oftherapeutic data from clinician programming, analysis of programmingdata, auditing operations, distribution of revocation data, and anyother appropriate device management operations.

Computer system 1002 may also store and access data through a cloudcomputing architecture with relevant data distributed across multipleplatforms at different physical locations. Data 1024 can include anydata relevant to patients, medical devices, physiological data,therapeutic settings, clinicians, and clinician devices for themanagement of medical devices, monitoring of patient status, detectionof patient conditions, and any other task related to remote monitoringand management of health care for patients with medical devices. Data1024 may include any of the data discussed herein.

The data structures and code described in this detailed description aretypically stored on a computer-readable storage medium, which may be anydevice or medium that can store code and/or data for use by a computersystem. The computer-readable storage medium includes, but is notlimited to, volatile memory, non-volatile memory, magnetic and opticalstorage devices such as disk drives, magnetic tape, CDs (compact discs),DVDs (digital versatile discs or digital video discs), or other mediacapable of storing computer-readable media now known or later developed.

The methods and processes described in the detailed description sectioncan be embodied as code and/or data, which can be stored in acomputer-readable storage medium as described above. When a computersystem reads and executes the code and/or data stored on thecomputer-readable storage medium, the computer system performs themethods and processes embodied as data structures and code and storedwithin the computer-readable storage medium.

Furthermore, the methods and processes described above can be includedin hardware modules. For example, the hardware modules can include, butare not limited to, application-specific integrated circuit (ASIC)chips, field-programmable gate arrays (FPGAs), and otherprogrammable-logic devices now known or later developed. When thehardware modules are activated, the hardware modules perform the methodsand processes included within the hardware modules.

FIG. 11 depicts a collection of medical devices 1105 managed by amedical device management system according to some embodiments. Themedical device management system includes a plurality of computersystems 1002 connected to network 1101 for management of devices 1105.The devices may include any number of devices and types of devicesincluding neurostimulation devices, cardiac rhythm management devices,glucose monitoring devices, and medical agent infusion devices asexamples. The devices may include the medical devices that provide themedical therapy and/or monitoring functionality, the patient controllerdevices, and clinician devices. The devices may monitor and communicatepatient data for communication to one or more server platforms 1002. Thepatient data may include any relevant physiological data such as cardiacactivity, respiration data, glucose levels, neurological activity,physical activity data, and/or the like. Communication of therapeuticsettings, programming data, validation data, and revocation data betweendevices 1105 and one or more server platforms 1002 may occur asdiscussed herein.

One or more of the operations described above in connection with themethods may be performed using one or more processors. The differentdevices in the systems described herein may represent one or moreprocessors, and two or more of these devices may include at least one ofthe same processors. In one embodiment, the operations described hereinmay represent actions performed when one or more processors (e.g., ofthe devices described herein) execute program instructions stored inmemory (for example, software stored on a tangible and non-transitorycomputer readable storage medium, such as a computer hard drive, ROM,RAM, or the like).

The processor(s) may execute a set of instructions that are stored inone or more storage elements, in order to process data. The storageelements may also store data or other information as desired or needed.The storage element may be in the form of an information source or aphysical memory element within the controllers and the controllerdevice. The set of instructions may include various commands thatinstruct the controllers and the controller device to perform specificoperations such as the methods and processes of the various embodimentsof the subject matter described herein. The set of instructions may bein the form of a software program. The software may be in various formssuch as system software or application software. Further, the softwaremay be in the form of a collection of separate programs or modules, aprogram module within a larger program or a portion of a program module.The software also may include modular programming in the form ofobject-oriented programming. The processing of input data by theprocessing machine may be in response to user commands, or in responseto results of previous processing, or in response to a request made byanother processing machine.

The controller may include: any processor-based or microprocessor-basedsystem including systems using microcontrollers, reduced instruction setcomputers (RISC), application specific integrated circuits (ASICs),field-programmable gate arrays (FPGAs), logic circuits, and any othercircuit or processor capable of executing the functions describedherein. When processor-based, the controller executes programinstructions stored in memory to perform the corresponding operations.Additionally or alternatively, the controllers and the controller devicemay represent circuits that may be implemented as hardware. The aboveexamples are exemplary only and are thus not intended to limit in anyway the definition and/or meaning of the term “controller.”

It is to be understood that the subject matter described herein is notlimited in its application to the details of construction and thearrangement of components set forth in the description herein orillustrated in the drawings hereof. The subject matter described hereinis capable of other embodiments and of being practiced or of beingcarried out in various ways. Also, it is to be understood that thephraseology and terminology used herein is for the purpose ofdescription and should not be regarded as limiting. The use of“including,” “comprising,” or “having” and variations thereof herein ismeant to encompass the items listed thereafter and equivalents thereofas well as additional items.

It is to be understood that the above description is intended to beillustrative, and not restrictive. For example, the above-describedembodiments (and/or aspects thereof) may be used in combination witheach other. In addition, many modifications may be made to adapt aparticular situation or material to the teachings of the inventionwithout departing from its scope. While the dimensions, types ofmaterials and coatings described herein are intended to define theparameters of the invention, they are by no means limiting and areexemplary embodiments. Many other embodiments will be apparent to thoseof skill in the art upon reviewing the above description. The scope ofthe invention should, therefore, be determined with reference to theappended claims, along with the full scope of equivalents to which suchclaims are entitled. In the appended claims, the terms “including” and“in which” are used as the plain-English equivalents of the respectiveterms “comprising” and “wherein,” Moreover, in the following claims, theterms “first,” “second,” and “third,” etc, are used merely as labels,and are not intended to impose numerical requirements on their objects.Further, the limitations of the following claims are not written inmeans-plus-function format and are not intended to be interpreted basedon 45 U.S.C. § 112(f), unless and until such claim limitations expresslyuse the phrase ‘means for’ followed by a statement of function void offurther structure.

The invention claimed is:
 1. A method for operating a system formanagement of implantable medical devices (IMDs), comprising: conductingcommunications sessions with a plurality of clinician programmerdevices, wherein some of the communication sessions occur while theplurality of clinician programmer devices are engaged in respectiveprogramming sessions with IMDs and wherein the communication sessionswith the plurality of clinician programmer devices include communicationof data pertaining to offline programming of IMDs; conductingcommunications sessions with a plurality of patient controller devices,wherein the communication sessions with the patient controller devicesinclude communication of data pertaining to offline programming of IMDs;reconciling programming session data received from the plurality ofclinician programmer devices with programming session data received frompatient controller devices to identify instances of unauthorized IMDprogramming; and distributing revocation data to patient controllerdevices to be downloaded to corresponding IMDs, wherein the revocationdata identifies cryptographic keys that are no longer trusted.
 2. Themethod of claim 1 further comprising: identifying a legitimate clinicianprogrammer device that uses a cryptographic key to be revoked; andreplacing the cryptographic key on the legitimate clinician programmerdevice during a communication session with the respective clinicianprogrammer device.
 3. The method of claim 2 wherein the identifying andreplacing are performed before the revocation data for the cryptographickey of the legitimate clinician programmer device is revoked.
 4. Themethod of claim 2 wherein the cryptographic key is identified as beingused on another unauthorized clinician programmer device.
 5. The methodof claim 1 wherein the reconciling identifies use of a commoncryptographical key on two separate clinician programmer devices.
 6. Themethod of claim 1 wherein the reconciling identifies a cloned clinicianprogramming device conducting programming concurrently with programmingby a corresponding legitimate clinician programming device.
 7. Themethod of claim 1 wherein the IMDs communicate programming sessionmetadata for analysis during the reconciling to identify unauthorizedprogramming.
 8. The method of claim 7 wherein the programming sessionmetadata includes clinician programmer device details.
 9. The method ofclaim 7 wherein the programming session metadata includes clinicianidentity credentials.
 10. The method of claim 7 wherein the programmingsession metadata includes programming timing data.
 11. A method foroperating a system for management of implantable medical devices (IMDs),comprising: conducting communications sessions with a plurality ofclinician programmer devices, wherein some of the communication sessionsoccur while the plurality of clinician programmer devices are engaged inrespective programming sessions with IMDs and wherein the communicationsessions with the plurality of clinician programmer devices includecommunication of data pertaining to offline programming of IMDs;conducting communications sessions with a plurality of patientcontroller devices, wherein the communication sessions with the patientcontroller devices include communication of data pertaining to offlineprogramming of IMDs; reconciling programming session data received fromthe plurality of clinician programmer devices with programming sessiondata received from patient controller devices to identify instances ofunauthorized IMD programming, wherein the reconciling identifies use ofone or more compromised cryptographic keys to perform offlineprogramming of one or more IMDs; and distributing revocation data topatient controller devices to be downloaded to corresponding IMDs,wherein the revocation data identifies cryptographic keys that are nolonger trusted.
 12. The method of claim 11 further comprising:identifying a legitimate clinician programmer device that uses acryptographic key to be revoked; and replacing the cryptographic key onthe legitimate clinician programmer device during a communicationsession with the respective clinician programmer device.
 13. The methodof claim 12 wherein the identifying and replacing are performed beforethe revocation data for the cryptographic key of the legitimateclinician programmer device is revoked.
 14. The method of claim 12wherein the cryptographic key is identified as being used on anotherunauthorized clinician programmer device.
 15. The method of claim 11wherein the reconciling identifies use of a common cryptographical keyon two separate clinician programmer devices.
 16. The method of claim 11wherein the reconciling identifies a cloned clinician programming deviceconducting programming concurrently with programming by a correspondinglegitimate clinician programming device.
 17. The method of claim 11wherein the MDs communicate programming session metadata for analysisduring the reconciling to identify unauthorized programming.
 18. Themethod of claim 17 wherein the programming session metadata includesclinician programmer device details.
 19. The method of claim 17 whereinthe programming session metadata includes clinician identitycredentials.
 20. The method of claim 17 wherein the programming sessionmetadata includes programming timing data.